We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Complying with the rules when posting privacy notices online

On October 28, 2014, the CFPB amended the consumer privacy rules of Regulation P to allow financial institutions to post privacy notices online rather than mailing the required annual notice each year. Some institutions are already taking advantage of this alternate delivery method. There are conditions to this option, however, and some institutions might not be satisfying those conditions. It is important to confirm that your institution is meeting the following conditions if you have decided to take advantage of the new rule:

No Opt Outs. The alternate delivery method can be used only if you do not share your customers’ information in any way for which the customer has the right to opt out under Regulation P or Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA). This provision of the FCRA is the one under which information that otherwise would be a “consumer report,” such as credit experience with third parties, may be shared with an affiliate for other than marketing purposes so long as the consumer is given an opt-out right.

Satisfy the FCRA Affiliate Sharing Rules. You must have previously satisfied the affiliate sharing rules of Section 624 of the FCRA or you do so other than by delivery of the annual Regulation P privacy notice. This provision seems to cause some confusion. Section 624 of the FCRA is the provision under which an affiliate of a financial institution that receives certain information (such as transaction information) may not use that information for marketing purposes unless the consumer is notified of such use and given a chance to opt out. The Section 624 notice would only need to be given one time so long as an institution honors consumers’ opt outs indefinitely, or could be delivered other than as part of a Regulation P privacy notice. Therefore, so long as you are not relying on the annual Regulation P privacy notice to satisfy Section 624, you satisfy this condition to the alternate method for delivery of your annual Regulation P notice.

No Changes to the Notice. The privacy notice you post online cannot have changed since consumers received the immediately previous notice, other than to eliminate categories of information that you disclose or categories of third parties to whom you disclose information. So, for example, if you previously shared information in a way that required that you to offer the consumer an opt-out right, you could stop such sharing. This would allow you to satisfy the no opt-out rule described above and post your modified privacy notice online.

Model Notice. You must use the model form of privacy notice included in Regulation P.

Notify Consumers of the Posting. You must notify your customers each year that your privacy notice is available online and that it will be mailed to customers who request it by telephone. This notice can be provided on an account statement, coupon book, or any other notice or disclosure that you are required or expressly and specifically permitted to issue to the customer under any other provision of law.

Post the Notice Continuously in a Public Location. Your privacy notice must be posted continuously and in a clear and conspicuous manner on a page of your Web site that consists only of the privacy notice and that can be accessed by consumers without having to log in, provide a password or agree to any conditions.

Mail Upon Request. If any customer requests a copy of the privacy notice by telephone, you must mail it to him or her within 10 days.

This alternate method for delivery of the annual Regulation P privacy notice will be attractive to many financial institutions, but don’t forget these conditions to this method.